Download the release on GitHub.
Features
PRs 1929-1947
The export command now has a --low-priority option to reduce the priority of the request while query backlogs are being worked down.
Partition transforms
A new ‘apply’ handler in the index gives plugin authors the ability to apply transforms over entire partitions. Previously, transforms were limited to streams of table slices during import or export.
Add metrics to the index
The keys query.backlog.normal and query.backlog.low have been added to the metrics output. The values indicate the number of queries that are currently in the backlog.
Changes
Introduce a query backlog in the index
The max-queries configuration option now works at a coarser granularity. It used to limit the number of queries that could simultaneously retrieve data, but it now sets the number of queries that can be processed at the same time.
Update xxHash and hashing APIs
VAST no longer vendors xxHash, which is now a regular required dependency. Internally, VAST switched its default hash function to XXH3, providing a speedup of up to 3x.
Bump minimum required CMake version to 3.18
Building VAST from source now requires CMake 3.18+.
By @dominiklohmann in #1914.
Prefer reading query from stdin if available
A recently added feature allows for exporting everything when no query is provided. We’ve restricted this to prefer reading a query from stdin if available. Additionally, conflicting ways to read the query now trigger errors.
By @dominiklohmann in #1917.
Bug Fixes
Automatically add the skip attribute to records in lists
VAST no longer tries to create indexes for fields of type list<record{...}> as that wasn’t supported in the first place.
Increase the partition erase timeout to 1 minute
The timeout duration to delete partitions has been increased to one minute, reducing the frequency of warnings for hitting this timeout significantly.
Change suricata.dns schema to match current DNS structure
The suricata.dns schema has been updated to match the currently used EVE-JSON structure output by recent Suricata versions.
Load static plugins only when enabled
Static plugins are no longer always loaded, but rather need to be explicitly enabled as documented. To restore the behavior from before this bug fix, set vast.plugins: [bundled] in your configuration file.
By @dominiklohmann in #1959.
Update xxHash and hashing APIs
When reading IPv6 addresses from PCAP data, only the first 4 bytes were considered. VAST now stores all 16 bytes.
Fix deletion of segments if CWD != dbdir
Store files now get deleted correctly if the database directory differs from the working directory.
Avoid references to record fields in fill_status_map
Debug builds of VAST no longer segfault on a status request with the --debug option.